Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Pug is a high-performance template engine heavily influenced by Haml and implemented with JavaScript for Node.js and browsers. It provides a clean and easy-to-read syntax that helps in writing HTML templates. Pug templates are compiled into HTML and can be rendered in the browser or on the server.
HTML Generation
Pug allows you to write simplified syntax that compiles into HTML. The code below generates a standard HTML5 document structure with a title and a heading.
doctype html
html(lang='en')
  head
    title My Site
  body
    h1 Welcome to My Site
Dynamic Content
You can use variables in Pug to dynamically insert content into your templates. The code below outputs an h1 tag with the user's name.
- var user = { name: 'John Doe' }
h1= user.name
Conditionals
Pug supports conditional statements, allowing you to render different parts of your template based on certain conditions. In this example, the h1 tag will only be rendered if the user is logged in.
- var user = { loggedIn: true }
if user.loggedIn
  h1 Welcome back!
Loops
Pug provides a way to iterate over arrays and objects with loops. This code will produce an unordered list with each fruit as a list item.
- var items = ['Apple', 'Banana', 'Cherry']
ul
  each item in items
    li= item
Mixins
Mixins in Pug are reusable blocks of Pug that can be included anywhere in your templates. The mixin below creates a hyperlink, and it is used to add a link to Google.
mixin link(href, name)
  a(href=href)= name
+link('http://google.com', 'Google')
Includes and Extends
Pug allows you to include content from other Pug files and extend templates to create a base template (layout) that can be shared across multiple pages. The 'index.pug' extends 'layout.pug' and provides content for the title and body blocks.
// layout.pug
doctype html
html
  head
    block title
  body
    block content

// index.pug
extends layout.pug
block title
  title My Page
block content
  h1 My Page Content
Handlebars is a popular templating engine that uses a more Mustache-like syntax. It is known for its simplicity and ease of use. Unlike Pug, which uses indentation to define structure, Handlebars uses double curly braces for expressions and does not rely on whitespace.
EJS, or Embedded JavaScript templates, is another alternative to Pug. It embeds raw JavaScript code within templates and uses angle brackets and percent signs to delimit JavaScript code. EJS syntax is more similar to traditional HTML, which might be easier for beginners.
Mustache is a logic-less template syntax that can be used for HTML, config files, source code - anything. It works by expanding tags in a template using values provided in a hash or object. Mustache is simpler than Pug and does not support features like loops and conditionals directly within the template.
Nunjucks is inspired by Jinja2 and is a powerful templating engine with block inheritance, auto-escaping, macros, asynchronous control, and more. It has a syntax more verbose than Pug's and can be more familiar to those who have worked with HTML before.
Full documentation is at pugjs.org
Pug is a high performance template engine heavily influenced by Haml and implemented with JavaScript for Node.js and browsers. For bug reports, feature requests and questions, open an issue. For discussion join the chat room.
You can test drive Pug online here.
This project was formerly known as "Jade." However, it has been revealed to us that "Jade" is a registered trademark, and as a result a rename is needed. After some discussion among the maintainers, "Pug" has been chosen as the new name for this project. The next major version will carry "pug" as the package name.
If your package or app currently uses jade, don't worry: we have secured permissions to continue to occupy that package name, although all new versions will be released under pug.
Before the renaming, we had already begun working on an incompatible Jade 2.0.0. We then arranged for this new major version bump to coincide with the rename to Pug. Therefore, upgrading from Jade to Pug will be the same process as upgrading any other package with a major version bump. Currently, Pug 2.0.0 is still in beta, and there are several syntactic differences we have deprecated and removed. Such differences are documented at #2305.
The website and documentation for Pug are still being updated, but if you are new to Pug, you should get started with the new syntax and install the Pug package on npm.
via npm:
$ npm install pug
After installing the latest version of Node.js, install with:
$ npm install pug-cli -g
and run with
$ pug --help
Pug is a clean, whitespace sensitive syntax for writing html. Here is a simple example:
doctype html
html(lang="en")
  head
    title= pageTitle
    script(type='text/javascript').
      if (foo) bar(1 + 5)
  body
    h1 Pug - node template engine
    #container.col
      if youAreUsingPug
        p You are amazing
      else
        p Get on it!
      p.
        Pug is a terse and simple templating language with a
        strong focus on performance and powerful features.
becomes
<!DOCTYPE html>
<html lang="en">
  <head>
    <title>Pug</title>
    <script type="text/javascript">
      if (foo) bar(1 + 5)
    </script>
  </head>
  <body>
    <h1>Pug - node template engine</h1>
    <div id="container" class="col">
      <p>You are amazing</p>
      <p>Pug is a terse and simple templating language with a strong focus on performance and powerful features.</p>
    </div>
  </body>
</html>
For full API, see pugjs.org/api/reference.html
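var pug = require('pug');

// Example values: options are set by your code, locals are the template data
var options = { filename: 'filename.pug' };
var locals = { pageTitle: 'Pug' };

// compile
var fn = pug.compile('string of pug', options);
var html = fn(locals);

// render: options and locals are passed together in one merged object
html = pug.render('string of pug', Object.assign({}, options, locals));

// renderFile
html = pug.renderFile('filename.pug', Object.assign({}, options, locals));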
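Because render and renderFile take options and locals in one merged object, request data passed straight through as locals could also set option keys such as filename, compileDebug or pretty. The following is an added example, not part of Pug or of the original page: buildRenderArgs and OPTION_KEYS are hypothetical names, and the request body is constructed sample input.

```javascript
'use strict';

// Option names documented on this page; extend with the rest of the API reference.
const OPTION_KEYS = new Set(['filename', 'compileDebug', 'pretty']);

// Build the single object that pug.render()/pug.renderFile() receive.
// Only allowlisted keys with scalar values are copied from untrusted input,
// so request data can never set or override a compiler option.
function buildRenderArgs(options, untrusted, allowedLocals) {
  const args = {};
  for (const key of allowedLocals) {
    if (OPTION_KEYS.has(key)) {
      throw new Error(`local "${key}" collides with a Pug option name`);
    }
    // Own properties only: inherited or prototype-supplied values are ignored.
    if (!Object.prototype.hasOwnProperty.call(untrusted, key)) continue;
    const value = untrusted[key];
    // Nested objects and functions are dropped; these templates need scalars.
    if (['string', 'number', 'boolean'].includes(typeof value)) {
      args[key] = value;
    }
  }
  // Options are applied last and come only from server-side configuration.
  return Object.assign(args, options);
}

// Constructed sample input, shaped like a parsed JSON request body.
const requestBody = JSON.parse(
  '{"pageTitle":"<b>Hi</b>","pretty":"x","filename":"/tmp/other.pug",' +
  '"__proto__":{"compileDebug":true},"youAreUsingPug":true}'
);

const renderArgs = buildRenderArgs(
  { filename: 'views/index.pug', compileDebug: false },
  requestBody,
  ['pageTitle', 'youAreUsingPug']
);

// Markup in pageTitle is left as-is here; "title= pageTitle" escapes it on output.
console.log(renderArgs);
// With pug installed: pug.renderFile(renderArgs.filename, renderArgs)
```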
filename: Used in exceptions, and required when using includes
compileDebug: When false no debug instrumentation is compiled
pretty: Add pretty-indentation whitespace to output (false by default)
The latest version of pug can be downloaded for the browser in standalone form from here. It only supports the very latest browsers though, and is a large file. It is recommended that you pre-compile your pug templates to JavaScript.
To compile a template for use on the client using the command line, do:
$ pug --client --no-debug filename.pug
which will produce filename.js containing the compiled template.
MIT
FAQs
A clean, whitespace-sensitive template language for writing HTML
The npm package pug receives a total of 1,208,205 weekly downloads. As such, pug popularity was classified as popular.
We found that pug demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.